Policy settings being "refreshed" or deleted from registry
-
Wednesday, March 06, 2013 4:32 PM
I am running Windows 7 & 2008 R2 computers in my network. I use secedit to push out settings to the following registry areas during the OS install:
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
After several months, these settings are deleted by some process. This only happens to a small number of computers in our domain. I am wondering what would cause group policy to delete these keys and "start over"? Is there something that I am unintentionally doing to make Windows refresh all of the group policy settings?
Thanks.
All Replies
-
Wednesday, March 06, 2013 5:29 PM
Hello,
> I use secedit to push out settings to the following registry areas during the OS install:
Why don't you use a GPO for those settings?
MVP Group Policy - Myths, insider info and troubleshooting on GPOs: Let's go, use GPO!
-
Wednesday, March 06, 2013 5:57 PM
Matthias, thanks for the reply. We have a requirement to have all settings the same on all computers whether they are on or off the domain. They all use the same install media. We have not yet decided to deploy these settings via GPO since there are so many that are set. In short, there isn't a great reason for not using GPO settings. We just don't yet and won't in the near future. But, I am still curious about what processes in group policy would erase all settings.
-
Wednesday, March 06, 2013 8:18 PM
On 06.03.2013 18:57, Jmoregon wrote:
> But, I am still curious about what processes in group policy would
> erase all settings.
In short: GPUPDATE for administrative templates first deletes all registry values in your mentioned keys. After that, they are re-populated from the current applying adm template settings.
Regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
If my answer was helpful, I'm glad about a rating!
-
Wednesday, March 06, 2013 10:32 PM
> GPUPDATE for administrative templates first deletes all registry values in your mentioned keys. After that, they are
> re-populated from the current applying adm template settings.
Well, the strange thing is:
> I use secedit to push out settings to the following registry areas during the OS install:
Secedit could theoretically write all kinds of registry keys or let's say could write to all registry areas, but it should apply security settings, not administrative templates.
> We have not yet decided to deploy these settings via GPO since there are so many that are set.
I have only one piece of advice: if you want to set keys in the administrative templates scope in registry, use a GPO or local policy.
That will be the most reliable solution.
MVP Group Policy - Myths, insider info and troubleshooting on GPOs: Let's go, use GPO!
- Edited by Matthias Wolf, MVP Wednesday, March 06, 2013 10:33 PM
-
Thursday, March 07, 2013 7:33 PM
Martin, I believe that gpupdate only deletes settings for which it has a history of applying. For the settings that it doesn't know about, it won't remove them. So, when I set these registry settings during install, there is no history of them.
Matthias, thanks for the advice. I am aware that the best way to set these would be via group policy. The difficulty is the computers that are not on the domain. I am unable to find a solution for automating the deployment of local group policy to these computers. If you know of a method of automating local group policy delivery during OS deployment, that would be very helpful to me.
One clue about the deleting settings is that it appears that these computers had at one point zero drive space available on their system drive (C:\) and that seems to be a common thread. I know that weird stuff can happen if you run out of disk space so maybe the answer is that simple.
-
Thursday, March 07, 2013 7:41 PM
If you use MDT for deployment you can install/import a GPO-pack during installation. Other deployment software, no idea.
--
Goran Johansson
http://gjohansson.com/blog
-
Thursday, March 07, 2013 8:35 PM
On 07.03.2013 20:33, Jmoregon wrote:
> If you know of a method of automating local group policy
> delivery during OS deployment,
For administrative templates: Fire up gpedit.msc on a reference computer, edit ADM templates as needed. Then grab %systemroot%\system32\GroupPolicy and all of its contents and inject it to new computers.
For security settings: Go as you are already doing.
Regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
If my answer was helpful, I'm glad about a rating!
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator Tuesday, March 26, 2013 8:26 AM
-
Thursday, March 07, 2013 9:22 PM
> Matthias, thanks for the advice. I am aware that the best way to set these would be via group policy. The difficulty is the computers that are not on the domain.
OK, then why not disable the GPSVC service?
This would stop the GPSVC from deleting registry keys.
MVP Group Policy - Myths, insider info and troubleshooting on GPOs: Let's go, use GPO!
-
Thursday, March 07, 2013 10:58 PM
Martin, I have tried copying the "GroupPolicy" folder but the settings never imported. I think there is a GUID issue. I never did figure it out. Anyway, I just stumbled on the following MS tool that seems like it will do what I want. I'll have to check it out.
http://gallery.technet.microsoft.com/LocalGPOmsi-Excellent-MS-2593b2eb
-
Thursday, March 07, 2013 11:00 PM
We use (domain) group policy as well. We just have a minimum set of base security settings that all computers must have deployed. In any case, I think I will try to refocus my effort on deploying local group policy in our OS provisioning process.
-
Friday, March 08, 2013 4:26 PM
> We use (domain) group policy as well
You said:
> The difficulty is the computers that are not on the domain.
I'm confused.
MVP Group Policy - Myths, insider info and troubleshooting on GPOs: Let's go, use GPO!
-
Friday, March 08, 2013 7:24 PM
> The difficulty is the computers that are not on the domain.
Matthias,
Meaning that I have to also configure the computers that are not on the domain as well as the computers that are on the domain. Sorry for the confusion and I appreciate your assistance.
-
Friday, March 08, 2013 9:13 PM
OK, no problem.
Back to your problem.
I think Martin already gave us the answer.
You need to feed the GP-engine with the policy settings.
Administrative Templates are stored in the registry.pol file.
You can apply the settings by integrating the files into your image.
http://www.frickelsoft.net/blog/?p=31
Security settings will be done by secedit like before.
I'm not a specialist in Windows Deployment, but I think you can also deploy your image to a test machine (reference computer)
and then do your local policies and capture the image again.
http://www.vkernel.ro/blog/sysprep-and-capture-a-windows-image-with-mdt-2012
MVP Group Policy - Myths, insider info and troubleshooting on GPOs: Let's go, use GPO!
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator Tuesday, March 26, 2013 8:26 AM
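The registry.pol file named in the answer above can be read directly to see which settings the local GPO actually carries. This is an added example, not part of the original thread: a small Python parser for the Registry.pol layout (a `PReg` header, then `[key;value;type;size;data]` records in UTF-16LE) plus a check for baseline values the file does not contain. The sample bytes, the key and value names and the `untracked` helper are constructed for illustration; on a real machine the files sit in the Machine and User subfolders of the GroupPolicy folder mentioned earlier.

```python
import struct

_w = lambda s: s.encode("utf-16-le")  # strings and delimiters are UTF-16LE
def make_entry(key, value, rtype, data):  # builds the constructed sample only
    return (_w(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + _w(";")
            + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))

def parse_registry_pol(blob):
    """Return [(key, value, type, data), ...] from raw Registry.pol bytes."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != _w(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2
    def wstr():  # NUL-terminated UTF-16LE string
        nonlocal pos
        end = pos
        while blob[end:end + 2] != b"\0\0":
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        text, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return text
    def dword():
        nonlocal pos
        pos += 4
        return struct.unpack_from("<I", blob, pos - 4)[0]
    while pos < len(blob):
        expect("["); key = wstr()
        expect(";"); value = wstr()
        expect(";"); rtype = dword()
        expect(";"); size = dword()
        expect(";"); data = blob[pos:pos + size]; pos += size
        expect("]")
        # REG_DWORD (type 4) is decoded to an int; other types stay raw bytes
        data = struct.unpack("<I", data)[0] if (rtype, size) == (4, 4) else data
        entries.append((key, value, rtype, data))
    return entries

def untracked(baseline, entries):  # baseline (key, value) pairs absent from the file
    have = {(k.lower(), v.lower()) for k, v, _, _ in entries}
    return [kv for kv in baseline if (kv[0].lower(), kv[1].lower()) not in have]

# Constructed sample (made-up names): header plus one set and one "**del." record.
SAMPLE = (b"PReg" + struct.pack("<I", 1)
          + make_entry(r"Software\Policies\Example", "SettingA", 4, struct.pack("<I", 1))
          + make_entry(r"Software\Policies\Example", "**del.SettingB", 1, _w(" \0")))
```

Running `untracked` with the list of values written at install time against the parsed file shows which of them exist only in the registry and not in the local policy file.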
-
Saturday, March 09, 2013 10:32 AM
I think that would be the preferred method if you don't have an option to deploy a GPO-pack
> I'm not a specialist in Windows Deployment, but I think you can also deploy your image to a test machine (reference computer)
> and then do your local policies and capture the image again.
> http://www.vkernel.ro/blog/sysprep-and-capture-a-windows-image-with-mdt-2012
> MVP Group Policy - Myths, insider info and troubleshooting on GPOs: Let's go, use GPO!
--
Goran Johansson
http://gjohansson.com/blog
- Marked As Answer by Andy Qi, Microsoft Contingent Staff, Moderator Tuesday, March 26, 2013 8:26 AM
-
Wednesday, March 13, 2013 10:03 AM
Moderator
Hi,
Any update?
Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
Best Regards,
Andy Qi
TechNet Community Support


